Safe Mode [RESOLVED]

genzi

Posted 09 September 2005 - 05:42 PM

I can get all of the way to safe mode but when the information box comes up asking to click yes or no it only holds for a few seconds then disappears.
A few times I have been able to get the icons to load but the same, it disappears.
Task Manager is blank.
Any solution?

genzi

Posted 11 September 2005 - 11:29 AM

While browsing win fixer problems ran across "loophole" who mentioned reversing suspected file name. The files I think are the cause end in comip.dll so I went to search, typed in pimoc and came up with five files. Previously ran Spybot and Trend Micro which keep finding 5 DSO exploit files (Spybot) or trojan vundo's Trend Micro. Delete them and they come back usually at next login.

I deleted the five pimoc files, restarted computer and tried safe mode, right in without a problem. Looked at Hijack This, suspect files still there. The pimoc returned to the windows repair file along with the repair\comip.dll.

Here is the Hijack This log. I have installed vundo fix and cleaner along with some others. Can you give me some insight on how to clean these remaining?

Logfile of HijackThis v1.99.1
Scan saved at 1:12:21 PM, on 9/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

In there you will see a file called safeboot.txt, please copy and paste that on to this post.

1. Right-click My Computer, and then click Properties.
-or-
Click Start, click Run, type sysdm.cpl, and then click OK.
2. On the Advanced tab, click Settings under Startup and Recovery.
3. Under System Startup, click Edit. This opens the file in Notepad ready for editing.
4. Copy and paste that entire log onto this post please.

Download Getservices.zip from the link below and extract the zip file to your C: drive. Once it is extracted there will be a directory on your C: drive called getservice. Inside the C:\getservice directory will be a file called getservice.bat. Simply double-click on the getservice.bat file and when it is completed a Notepad window will open with a lot of information. Copy the entire contents of that Notepad window to a reply to this post.

http://www.bleepingc...getservices.zip

SERVICE_NAME: BITS
Transfers files in the background using idle network bandwidth. If the service is stopped, features such as Windows Update, and MSN Explorer will be unable to automatically download programs and other information. If this service is disabled, any services that explicitly depend on it may fail to transfer files if they do not have a fail safe mechanism to transfer files directly through IE in case BITS has been disabled.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Background Intelligent Transfer Service
DEPENDENCIES : Rpcss
SERVICE_START_NAME: LocalSystem
FAIL_RESET_PERIOD : 0 seconds
FAILURE_ACTIONS : Restart DELAY: 60000 seconds
: Restart DELAY: 60000 seconds
: Restart DELAY: 60000 seconds

SERVICE_NAME: Browser
Maintains an updated list of computers on the network and supplies this list to computers designated as browsers. If this service is stopped, this list will not be updated or maintained. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Computer Browser
DEPENDENCIES : LanmanWorkstation
: LanmanServer
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: ClipSrv
Enables ClipBook Viewer to store information and share it with remote computers. If the service is stopped, ClipBook Viewer will not be able to share information with remote computers. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 4 DISABLED
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\clipsrv.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : ClipBook
DEPENDENCIES : NetDDE
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: EventSystem
Supports System Event Notification Service (SENS), which provides automatic distribution of events to subscribing Component Object Model (COM) components. If the service is stopped, SENS will close and will not be able to provide logon and logoff notifications. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP : Network
TAG : 0
DISPLAY_NAME : COM+ Event System
DEPENDENCIES : RPCSS
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: NetDDE
Provides network transport and security for Dynamic Data Exchange (DDE) for programs running on the same computer or on different computers. If this service is stopped, DDE transport and security will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 4 DISABLED
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\netdde.exe
LOAD_ORDER_GROUP : NetDDEGroup
TAG : 0
DISPLAY_NAME : Network DDE
DEPENDENCIES : NetDDEDSDM
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: Schedule
Enables a user to configure and schedule automated tasks on this computer. If this service is stopped, these tasks will not be run at their scheduled times. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 120 WIN32_SHARE_PROCESS INTERACTIVE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP : SchedulerGroup
TAG : 0
DISPLAY_NAME : Task Scheduler
DEPENDENCIES : RpcSs
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: SysmonLog
Collects performance data from local or remote computers based on preconfigured schedule parameters, then writes the data to a log or triggers an alert. If this service is stopped, performance information will not be collected. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\smlogsvc.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Performance Logs and Alerts
DEPENDENCIES :
SERVICE_START_NAME: NT Authority\NetworkService

Excal

Posted 11 September 2005 - 04:32 PM

This sometimes works so let's give it a go:

Launch Notepad, and copy/paste the box below into a new text file. Save it as fixme.reg (make sure that Save as Type is set at "All Files") on your Desktop. Ensure there is no space at or above REGEDIT 4.

Locate fixme.reg on your Desktop and double-click on it. You will receive a prompt similar to: "Do you wish to merge the information into the registry?". Answer "Yes" and wait for a message to appear similar to "Merged Successfully".

genzi

Posted 11 September 2005 - 05:11 PM

Is this procedure to get me into safe mode? If it is I am letting you know that when I deleted the 5 "pimoc" files my safe mode worked just fine and still is working.
I am now looking for the correct procedure to rid the computer of the "comip.dll" files in the repair folder, I think ???? and the vundo stuff.
Does anything I have done so far have to be reversed???
By accident I first typed in 'regedit / e c \safeboot.txt', not the whole text as you directed. Does this affect anything?
Thanks

After the files are extracted, please reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.

Once in safe mode, open the VundoFix folder and double-click on KillVundo.bat

You will first be presented with a warning and a list of forums to seek help at.
It should look like this:

Type in the filepath as instructed by the forum staff
Then Press Enter, Then F6, Then Enter Again to continue with the fix.

At this point please type the following file path (make sure to enter it exactly as below!):

C:\WINDOWS\repair\comip.dll

Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.

Next you will see:

Please type in the second filepath as instructed by the forum staff
Then Press Enter, Then F6, Then Enter Again to continue with the fix.

At this point please type the following file path (make sure to enter it exactly as below!):

C:\WINDOWS\repair\pimoc.*

This will be the vundo filename spelt backwards. For example, if the vundo dll was vundo.dll you would have the user enter odnuv.*

Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):
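The reversed-name pairing described in this thread (comip.dll alongside pimoc.* files, found by searching for the name spelled backwards), as an added example that is not part of the original posts or of VundoFix: a Python check that scans a file listing for any DLL whose base name, spelled backwards, matches another file in the same folder. The sample listing, the extensions of the pimoc files and the function name are constructed for illustration, and the same-folder restriction is an assumption.

```python
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed sample listing (not taken from the thread's logs); the
# extensions of the pimoc files are made up for illustration.
SAMPLE_LISTING = [
    r"C:\WINDOWS\repair\comip.dll",
    r"C:\WINDOWS\repair\pimoc.bak1",
    r"C:\WINDOWS\repair\pimoc.bak2",
    r"C:\WINDOWS\repair\pimoc.ini",
    r"C:\WINDOWS\repair\setup.log",
    r"C:\WINDOWS\system32\kernel32.dll",
    r"C:\WINDOWS\system32\pimoc.txt",   # other folder: not paired (assumption)
]

def find_reversed_companions(paths):
    """Map each DLL to the same-folder files whose base name is the
    DLL's base name spelled backwards (case-insensitive)."""
    by_dir = defaultdict(list)
    for raw in paths:
        p = PureWindowsPath(raw)
        by_dir[str(p.parent).lower()].append(p)

    hits = {}
    for files in by_dir.values():
        by_stem = defaultdict(list)
        for p in files:
            by_stem[p.stem.lower()].append(p)
        for p in files:
            if p.suffix.lower() != ".dll":
                continue
            stem = p.stem.lower()
            mirrored = stem[::-1]
            if mirrored == stem:
                continue  # palindrome: a name cannot be its own companion
            companions = sorted(str(c) for c in by_stem.get(mirrored, []))
            if companions:
                hits[str(p)] = companions
    return hits

if __name__ == "__main__":
    for dll, companions in find_reversed_companions(SAMPLE_LISTING).items():
        print(dll, "<->", ", ".join(companions))
```

To check a live folder, pass the function a list of full paths gathered from a directory listing instead of the sample.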

genzi

Posted 11 September 2005 - 07:47 PM

Well, not so smooth. When I finished with the second entry "file name backwards" and hit the last enter to take me to Hijack This, it started running and my Norton popped up with a critical warning telling me to delete it. I was not sure if this was the program or the virus. I chose to let it run once. Then it ran and an info screen came up.

Windows Script Host
C:\Documents and Settings\starthjt.vbs
Line 3
Char 2
Error System cannot find file
Code 80070002
Source Null

I clicked OK and it proceeded.
Manually rebooted.
Manually went to HiJack This.
The number 02 BHO was gone.
The number 20 Winlogon was present with (folder empty) or something to that effect.
I checked it and fixed.
Ran again....looks to be gone ????

Second mess up: ran cleaner but had more options checked than you suggested. Had the standard seven options when I clicked on run. My fault for not reading ahead.

If you are unhappy with your current antivirus and want to replace it, or if you don't already have one, I suggest one of these free programs:

*Note - do not use more than one anti-virus program as it will more than likely cause conflict.

genzi

Posted 12 September 2005 - 11:08 AM

Started the day off virus free. No apparent problems except for a lot of allow cookies functions since I tightened up security.
If I decide to use another browser what happens to IE? I do have SBC as my default I believe.
Does it matter if there is another user?
I am not at all happy with McAfee, which I had when the problem originated. I spoke to them and they sold me a bunch of worthless programs. I deleted them and installed Norton as a replacement. At least Norton picks up a few things. I also tried Trend Micro Fly catcher and it works better than the last two. It was the one that ID'd trojan vundo by name.
I may install one that you have recommended.

Thanks for the quick response and help, I will be visiting this site often.
But I hope not for virus removal.